GNU bug report logs - #70314
[PATCH] guix: scripts: environment: add tls certs to networked containers


Package: guix-patches;

Reported by: Richard Sent <richard <at> freakingpenguin.com>

Date: Tue, 9 Apr 2024 19:15:01 UTC

Severity: normal

Tags: patch

Merged with 75917




From: Ludovic Courtès <ludo <at> gnu.org>
To: Richard Sent <richard <at> freakingpenguin.com>
Cc: Josselin Poiret <dev <at> jpoiret.xyz>, Tobias Geerinckx-Rice <me <at> tobias.gr>, Maxim Cournoyer <maxim.cournoyer <at> gmail.com>, zimon.toutoune <at> gmail.com, Mathieu Othacehe <othacehe <at> gnu.org>, rprior <at> protonmail.com, Christopher Baines <guix <at> cbaines.net>, 70314 <at> debbugs.gnu.org
Subject: [bug#70314] [PATCH v2] guix: scripts: environment: add tls certs to networked containers.
Date: Sun, 23 Feb 2025 23:41:48 +0100
Hi Richard,

Richard Sent <richard <at> freakingpenguin.com> skribis:

> Add the --no-tls flag. By default when starting a container with -N, add the
> nss-certs package to the profile and set the SSL_CERT_DIR and SSL_CERT_FILE
> environment variables. When --no-tls is passed, default to the old behavior.
>
> * guix/scripts/environment.scm (%default-tls-certs): New function.
> (show-environment-options-help): Add help for --no-tls.
> (%options): Add --no-tls option.
> (options/resolve-packages): Add %default-tls-certs to profile when network is
> true and no-tls is false.
> (launch-environment/container): Add set-tls? argument and set
> SSL_CERT_DIR/FILE if #t.
> (guix-environment*): Sanity check no-tls? and pass the negated version to
> launch-environment/container.
> * doc/guix.texi (Invoking guix shell): Document it.
> (Invoking guix environment): Ditto.
> * tests/guix-environment-container.sh: Add tests for behavior with and without
> no-tls flag.
>
> Change-Id: I04735024df025740cb7a0e28f39a3bb5c7fcf895
> ---
> Hi all. Been a while but I figured I'd take another crack at this.

Sorry that this is taking so long.

I’m happy with this version though I have one question:

> +            (when set-tls?
> +              (setenv "SSL_CERT_DIR" (string-append profile "/etc/ssl/certs"))
> +              (setenv "SSL_CERT_FILE" (string-append (getenv "SSL_CERT_DIR")
> +                                                     "/ca-certificates.crt")))
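Review bot: the second `setenv` rebuilds the directory by calling `(getenv "SSL_CERT_DIR")` immediately after setting it; bind the path once, e.g. `(let ((certs (string-append profile "/etc/ssl/certs"))) ...)`, and derive both `SSL_CERT_DIR` and `SSL_CERT_FILE` from that binding so the file path does not depend on a read-back of the environment. It would also be worth checking that `ca-certificates.crt` actually exists under that directory before exporting the variables, so a profile without the bundle fails loudly instead of leaving TLS clients silently untrusted.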

What about symlinking /etc/ssl/certs in the container instead of setting
these two variables?

The reason I’m suggesting this is that these two variables are not
universal; example:

--8<---------------cut here---------------start------------->8---
$ ./pre-inst-env guix shell -CN wget coreutils
[env]$ echo $SSL_CERT_DIR/
/gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/
[env]$ echo $SSL_CERT_FILE 
/gnu/store/hbcsqh12n45bxv3r9992jz1vh63l3krf-profile/etc/ssl/certs/ca-certificates.crt
[env]$ wget -O/dev/null https://guix.gnu.org
--2025-02-23 22:39:48--  https://guix.gnu.org/
Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56
Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected.
ERROR: The certificate of 'guix.gnu.org' is not trusted.
ERROR: The certificate of 'guix.gnu.org' doesn't have a known issuer.
--8<---------------cut here---------------end--------------->8---

The symlink saves us:

--8<---------------cut here---------------start------------->8---
[env]$ ln -s $GUIX_ENVIRONMENT/etc/ssl /etc/ssl
[env]$ wget -O/dev/null https://guix.gnu.org   
--2025-02-23 22:41:06--  https://guix.gnu.org/
Resolving guix.gnu.org (guix.gnu.org)... 2a0c:e300::58, 185.233.100.56
Connecting to guix.gnu.org (guix.gnu.org)|2a0c:e300::58|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 19897 (19K) [text/html]
Saving to: '/dev/null'

/dev/null              100%[==========================>]  19.43K  --.-KB/s    in 0s      

2025-02-23 22:41:07 (168 MB/s) - '/dev/null' saved [19897/19897]

--8<---------------cut here---------------end--------------->8---

Thoughts?

We’re close to completion, very!

Ludo’.
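The two mechanisms discussed in this message, exporting SSL_CERT_DIR/SSL_CERT_FILE and symlinking /etc/ssl to the profile, as an added shell example that is not part of the patch or of Guix itself. It combines both routes, refuses to advertise a bundle that is missing, and never clobbers an existing /etc/ssl. The function names, the PROFILE/ROOT arguments and the fake profile built by the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Guix code): provision CA certificates inside a container
# root both ways: the environment variables from the patch and the /etc/ssl
# symlink from the reply. PROFILE and ROOT are assumed arguments; nothing
# here is taken from guix/scripts/environment.scm.

# setup_tls_certs PROFILE ROOT
# Exports SSL_CERT_DIR/SSL_CERT_FILE pointing into PROFILE and creates
# ROOT/etc/ssl -> PROFILE/etc/ssl unless ROOT/etc/ssl already exists.
# Returns 1 when the CA bundle is missing so callers fail loudly.
setup_tls_certs() {
    profile=$1
    root=$2
    certs="$profile/etc/ssl/certs"
    bundle="$certs/ca-certificates.crt"

    # Exporting the variables without a bundle behind them would leave
    # clients silently untrusted, so check first.
    if [ ! -f "$bundle" ]; then
        echo "setup_tls_certs: no CA bundle at $bundle" >&2
        return 1
    fi

    # Route 1: variables honoured by clients that read them.
    SSL_CERT_DIR=$certs
    SSL_CERT_FILE=$bundle
    export SSL_CERT_DIR SSL_CERT_FILE

    # Route 2: symlink for clients that ignore the variables and look at
    # /etc/ssl. Never replace an existing /etc/ssl (e.g. one shared from
    # the host).
    if [ ! -e "$root/etc/ssl" ]; then
        mkdir -p "$root/etc"
        ln -s "$profile/etc/ssl" "$root/etc/ssl"
    fi
    return 0
}

# tls_cert_path ROOT: the bundle path a /etc/ssl-reading client would
# resolve inside ROOT, with the symlink followed.
tls_cert_path() {
    readlink -f "$1/etc/ssl/certs/ca-certificates.crt"
}

# Demo on a constructed fake profile (placeholder file, no real certificate).
demo_tls_setup() {
    tmp=$(mktemp -d)
    fake_profile="$tmp/profile"
    fake_root="$tmp/root"
    mkdir -p "$fake_profile/etc/ssl/certs" "$fake_root"
    echo "constructed placeholder, not a certificate" \
        > "$fake_profile/etc/ssl/certs/ca-certificates.crt"
    if setup_tls_certs "$fake_profile" "$fake_root"; then
        tls_cert_path "$fake_root"
    fi
}

demo_tls_setup
```

Running it prints the resolved bundle path inside the fake root; in a real container the same function would be run once against the profile and the container's root before the shell starts, so both a client that reads the variables and one that opens /etc/ssl directly find the same bundle.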



